abartlet at pcug.org.au
Wed Sep 26 07:31:24 GMT 2001
"Mayers, Philip J" wrote:
> It's doable. I made a start adding NTLMSSP-ExtendedSecurity into smbd and
> libsmbclient, but the authentication rewrite was going on, and the codebase
> just changed too quickly, plus other commitments meant I had a hard time
> keeping up. I didn't look at smbmount, but in *theory* as long as the
> SessSetup&X happens in the user-space code, it would be quite easy.
Correct, the kernel only gets the connection after the tree connect, so
the session setup is long gone.
> The kernel module would have to upcall out to the userspace code for
> rekeying (although there are some interesting code-sharing possibilities
> with the CITI NFSv4 work...). I suspect an architecture similar to CIPEs
> would be best - convert the socket into "something else" by altering the
> kernel vfs ops for it, only passing certain pseudo-packets back to SMBmount.
> You could even implement signing and sealing in userspace that way.
> Once extended-security negotiation works reliably with NTLMSSPv1/2, adding
> in a Kerberos version would be relatively trivial. However, library license
> issues (I prefer MIT kerberos over Heimdal) might be a problem. If someone
> would like to assist me in trying this again, I'll have time in a couple of
> weeks after the start of term has settled down to a simmer :o) I got stuck
> getting NTLMSSP working, as I started to see NTLMSSP packets the like of
> which have never been seen!
If I can be of *any* assistance whatsoever in this just give me an
e-mail. This is exactly the kind of thing I have been attempting to
make this 'AuthRewrite' capable of supporting, and I'm sorry to hear it
got in your way.
Furthermore, if there are bits of this code where getting the infrastructure
in would help, or where my keeping the changes sane could make your life
easier, just tell me :-)
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net